Message-ID: <alpine.DEB.2.21.2603182108590.16613@seq4-head1.internal.sanger.ac.uk>
Date: Wed, 18 Mar 2026 21:09:56 +0000 (GMT)
From: Robert Davies <rmd@...ger.ac.uk>
To: oss-security@...ts.openwall.com
cc: samtools@...ger.ac.uk
Subject: HTSlib <= 1.23 Multiple vulnerabilities in the CRAM file reader

Multiple vulnerabilities, listed below, have been disclosed in the HTSlib CRAM file reader. These have all been fixed in version 1.23.1, and fixes have also been back-ported to versions 1.22.2 and 1.21.1.

CVE-2026-31962 Severity: High
=============================

Heap buffer overflow in HTSlib CRAM reader due to improper validation of input

Description
-----------

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data.

While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the cram_decode_seq() function did not handle this correctly in some cases. Where this happened it could result in reading a single byte from beyond the end of a heap allocation, followed by writing a single attacker-controlled byte to the same location.

Impact
------

Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution.

Severity
--------

High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Patches
-------

Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue.

Workarounds
-----------

There is no workaround for this issue.

References
----------

https://github.com/samtools/htslib/security/advisories/GHSA-xxmp-v7h3-gpwp
https://www.cve.org/CVERecord?id=CVE-2026-31962

CVE-2026-31963 Severity: High
=============================

Heap buffer overflow in HTSlib CRAM reader due to improper validation of input

Description
-----------

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data.

As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding these features, an out-by-one error in a test for CRAM features that appear beyond the extent of the CRAM record sequence could result in an invalid write of one attacker-controlled byte beyond the end of a heap buffer.

Impact
------

Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution.

Severity
--------

High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Patches
-------

Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue.

Workarounds
-----------

There is no workaround for this issue.

References
----------

https://github.com/samtools/htslib/security/advisories/GHSA-qgqh-h2q9-7w3c
https://www.cve.org/CVERecord?id=CVE-2026-31963

CVE-2026-31968 Severity: High
=============================

Buffer overflow vulnerabilities in HTSlib CRAM decoder

Description
-----------

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods.

For the VARINT and CONST encodings, incomplete validation of the context in which the encodings were used could result in up to eight bytes being written beyond the end of a heap allocation, or up to eight bytes being written to the location of a one byte variable on the stack, possibly causing the values of adjacent variables to change unexpectedly.

Impact
------

Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution.

Severity
--------

High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Patches
-------

Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue.

Workarounds
-----------

There is no workaround for this issue.

References
----------

https://github.com/samtools/htslib/security/advisories/GHSA-cgcm-c9r2-p57j
https://www.cve.org/CVERecord?id=CVE-2026-31968

CVE-2026-31969 Severity: High
=============================

Heap buffer overflow in HTSlib CRAM decoder

Description
-----------

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods.

When reading data encoded using the BYTE_ARRAY_STOP method, an out-by-one error in the cram_byte_array_stop_decode_char() function's check for a full output buffer could result in a single attacker-controlled byte being written beyond the end of a heap allocation.

Impact
------

Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution.

Severity
--------

High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Patches
-------

Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue.

Workarounds
-----------

There is no workaround for this issue.

References
----------

https://github.com/samtools/htslib/security/advisories/GHSA-q4cj-f4h5-fqgc
https://www.cve.org/CVERecord?id=CVE-2026-31969

CVE-2026-31971 Severity: High
=============================

Buffer overflow vulnerabilities in HTSlib CRAM decoder

Description
-----------

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods.

When reading data encoded using the BYTE_ARRAY_LEN method, the cram_byte_array_len_decode() function failed to validate that the amount of data being unpacked matched the size of the output buffer where it was to be stored. Depending on the data series being read, this could result either in a heap or a stack overflow with attacker-controlled bytes.

Impact
------

Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution.

Severity
--------

High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Patches
-------

Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue.

Workarounds
-----------

There is no workaround for this issue.

References
----------

https://github.com/samtools/htslib/security/advisories/GHSA-jvx4-4wq7-6fmh
https://www.cve.org/CVERecord?id=CVE-2026-31971

CVE-2026-31964 Severity: Moderate
=================================

NULL Pointer Dereference in HTSlib CRAM decoder

Description
-----------

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods.

While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the CONST, XPACK and XRLE encodings did not properly implement the interface needed to do this. Trying to decode records with omitted sequence or quality data using these encodings would result in an attempt to write to a NULL pointer.

Impact
------

Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash.

Severity
--------

Moderate
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Patches
-------

Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue.

Workarounds
-----------

There is no workaround for this issue.

References
----------

https://github.com/samtools/htslib/security/advisories/GHSA-5w97-85gf-86rm
https://www.cve.org/CVERecord?id=CVE-2026-31964

CVE-2026-31965 Severity: Moderate
=================================

Out-of-bounds reads in HTSlib CRAM reader due to improper validation of input

Description
-----------

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data.

In the cram_decode_slice() function called while reading CRAM records, validation of the reference id field occurred too late, allowing two out-of-bounds reads to occur before the invalid data was detected.

Impact
------

The bug does allow two values to be leaked to the caller; however, as the function reports an error, it may be difficult to exploit them. It is also possible that the program will crash due to trying to access invalid memory.

Severity
--------

Moderate
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Patches
-------

Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue.

Workarounds
-----------

There is no workaround for this issue.

References
----------

https://github.com/samtools/htslib/security/advisories/GHSA-mqm2-v645-3qhr
https://www.cve.org/CVERecord?id=CVE-2026-31965

CVE-2026-31966 Severity: Moderate
=================================

Out-of-bounds read in HTSlib CRAM reader due to improper validation of input

Description
-----------

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data.

As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding CRAM records, the reference data is stored in a char array, and parts matching the alignment record sequence are copied over as necessary. Due to insufficient validation of the feature data series, it was possible to make the cram_decode_seq() function copy data from either before the start, or after the end of the stored reference either into the buffer used to store the output sequence for the CRAM record, or into the buffer used to build the SAM MD tag. This allowed arbitrary data to be leaked to the calling function.

Impact
------

This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory.

Severity
--------

Moderate
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Patches
-------

Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue.

Workarounds
-----------

There is no workaround for this issue.

References
----------

https://github.com/samtools/htslib/security/advisories/GHSA-5cj8-mj52-8vp3
https://www.cve.org/CVERecord?id=CVE-2026-31966

CVE-2026-31967 Severity: Moderate
=================================

Out-of-bounds read in HTSlib CRAM reader due to improper validation of input

Description
-----------

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data.

In the cram_decode_slice() function called while reading CRAM records, the value of the mate reference id field was not validated. Later use of this value, for example when converting the data to SAM format, could result in out-of-bounds array reads when looking up the corresponding reference name. If the array value obtained also happened to be a valid pointer, it would be interpreted as a string and an attempt would be made to write the data as part of the SAM record.

Impact
------

This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory.

Severity
--------

Moderate
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Patches
-------

Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue.

Workarounds
-----------

There is no workaround for this issue.

References
----------

https://github.com/samtools/htslib/security/advisories/GHSA-33x5-c6vj-8f2w
https://www.cve.org/CVERecord?id=CVE-2026-31967

--
The SAMtools team
https://www.htslib.org/
https://www.sanger.ac.uk/

----------------------------------------------------------------------
The Wellcome Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is Wellcome Sanger Institute, Wellcome Genome Campus, Hinxton, CB10 1SA.
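The C program below is an added illustration for this archive page; it is not HTSlib code and not from the SAMtools team. It models the decoder bug classes the advisory describes for CVE-2026-31969 (a "buffer full" check placed after the write, so one byte lands past the allocation), CVE-2026-31971 (a stream-declared length that is never compared with the destination size) and CVE-2026-31968 (a fixed eight-byte store into a destination narrower than eight bytes), each beside the hardened form, and uses a canary byte to make the one-byte overrun visible. The toy byte formats and every identifier here (cursor_t, stop_decode_buggy, stop_decode_fixed, len_decode_checked, store_u64_checked, canary_survives) are assumptions of the example and do not correspond to HTSlib's real CRAM codecs or to the cram_byte_array_stop_decode_char() and cram_byte_array_len_decode() implementations named in the advisory.

```c
/* Added illustrative example: NOT HTSlib code. Toy formats and all names
 * below are assumptions made for this demonstration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal read cursor over a constructed byte stream. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } cursor_t;

/* Models the CVE-2026-31969 bug class: stop-byte terminated array decoder whose
 * "output buffer full" check runs AFTER the write. Returns the byte count on
 * success, -1 on error. With five payload bytes and a four-byte destination it
 * writes out[4], one byte past the buffer, before the check fires. */
static int stop_decode_buggy(cursor_t *in, uint8_t stop, uint8_t *out, size_t cap)
{
    size_t n = 0;
    while (in->pos < in->len) {
        uint8_t b = in->data[in->pos++];
        if (b == stop) return (int)n;
        out[n++] = b;               /* write first ...                        */
        if (n > cap) return -1;     /* ... check second: out[cap] already hit */
    }
    return -1;                      /* stream ended without a stop byte       */
}

/* Hardened form: bound checked before the write, so out[cap] is never touched
 * and an over-long field is reported as an error instead. */
static int stop_decode_fixed(cursor_t *in, uint8_t stop, uint8_t *out, size_t cap)
{
    size_t n = 0;
    while (in->pos < in->len) {
        uint8_t b = in->data[in->pos++];
        if (b == stop) return (int)n;
        if (n >= cap) return -1;
        out[n++] = b;
    }
    return -1;
}

/* Models the check the advisory says was missing on the BYTE_ARRAY_LEN path
 * (CVE-2026-31971): the declared length is attacker-controlled and must be
 * compared with what the destination holds before any copy. Toy format: one
 * length byte followed by that many payload bytes. */
static int len_decode_checked(cursor_t *in, uint8_t *out, size_t expected)
{
    if (in->pos >= in->len) return -1;
    size_t declared = in->data[in->pos++];
    if (declared != expected) return -1;          /* size mismatch: reject   */
    if (declared > in->len - in->pos) return -1;  /* truncated input: reject */
    memcpy(out, in->data + in->pos, declared);
    in->pos += declared;
    return (int)declared;
}

/* Models the VARINT/CONST issue (CVE-2026-31968): a decoder that always stores
 * eight bytes must refuse a narrower destination rather than trust the context
 * it was invoked from. Returns 0 on success, -1 if dst is too small. */
static int store_u64_checked(uint64_t v, void *dst, size_t dst_size)
{
    if (dst_size < sizeof v) return -1;
    memcpy(dst, &v, sizeof v);
    return 0;
}

/* Runs a stop-byte decoder into a four-byte slot guarded by a canary byte that
 * sits immediately after it. Returns 1 if the canary survived, 0 if the
 * decoder wrote past the slot. Input is constructed: five bases, then stop 0. */
static int canary_survives(int (*decode)(cursor_t *, uint8_t, uint8_t *, size_t))
{
    static const uint8_t payload[] = { 'A', 'C', 'G', 'T', 'N', 0 };
    cursor_t in = { payload, sizeof payload, 0 };
    struct { uint8_t slot[4]; uint8_t canary; } buf = { { 0 }, 0xAA };
    (void)decode(&in, 0, buf.slot, sizeof buf.slot);
    return buf.canary == 0xAA;
}

/* Constructed input declares 3 bytes for a 4-byte slot: must be rejected. */
static int len_mismatch_rejected(void)
{
    static const uint8_t input[] = { 3, 'A', 'C', 'G' };
    cursor_t in = { input, sizeof input, 0 };
    uint8_t slot[4] = { 0 };
    return len_decode_checked(&in, slot, sizeof slot) == -1;
}

/* Constructed input declares exactly 4 bytes: must decode to "ACGT". */
static int len_exact_accepted(void)
{
    static const uint8_t input[] = { 4, 'A', 'C', 'G', 'T' };
    cursor_t in = { input, sizeof input, 0 };
    uint8_t slot[4] = { 0 };
    return len_decode_checked(&in, slot, sizeof slot) == 4 && memcmp(slot, "ACGT", 4) == 0;
}

int main(void)
{
    uint8_t one_byte = 0;
    printf("buggy stop decoder leaves canary intact: %d\n", canary_survives(stop_decode_buggy));
    printf("fixed stop decoder leaves canary intact: %d\n", canary_survives(stop_decode_fixed));
    printf("length mismatch rejected: %d\n", len_mismatch_rejected());
    printf("exact length accepted:    %d\n", len_exact_accepted());
    printf("8-byte store into 1-byte slot refused: %d\n",
           store_u64_checked(0x4141414141414141ULL, &one_byte, sizeof one_byte) == -1);
    return 0;
}
```

Compile with `cc -O0 -o cram_toy cram_toy.c && ./cram_toy`; building with `-fsanitize=address` instead will abort inside stop_decode_buggy at the out[4] write, which is how this class of bug is normally caught by fuzzing. The pattern worth taking away is that every decoder receives the destination's capacity from the caller and checks it before writing, never after, and that a length read from the stream is validated against that capacity rather than against the stream alone.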